DETAILED ACTION 

This office action is in response to application filed on May 13, 2005 in which 
claims 1-85 are presented for examination. 

Status of Claims 

Claims 1-85 are pending; of which claims 45 and 83 are in independent form. 
Claims 1-44 are canceled. Claims 45-85 are rejected under 35 USC 103(a). 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 45-48, 52, 53, 55, and 83 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Sung-Do Chi et al. "Network security modeling and cyber attack 
simulation methodology." Information Security and Privacy. 6th Australian Conference, 
ACISP 2001, 07/11/01, pages 320-333 in view of Apostal D et al "Checkmate network 
security modeling." Proceedings DARPA Information Survivability Conference and 
Exposition II. 06/12/01, pages 214-226, vol. 1. 

With respect to claim 45, Sung-Do Chi teaches the limitation of a "modeling 
phase, comprising on the one hand the specification of the architecture of the 
information system with a graphical representation of a set of components of the system 
and relations between said components, each component being associated with at least 
one state initialized with a sound value, the relations between two determined 
components comprising propagation relations able to convey attacks, and on the other 
hand the specification of a set of behavioral rules, from the standpoint of the operation 
of the system and from the standpoint of security, associated with the components of 
the system, each behavioral rule comprising one or more predicates and/or one or more 
actions" (page 321, lines 10-18) as the network security modeling and cyber attack 
simulation employing the advanced modeling and simulation concepts that supports a 
hierarchical and modular modeling environment, which (page 323, lines 7-14) consists 
of a system entity structure (SES) and model base (MB). The SES represents the 
knowledge of decompositions, taxonomies, coupling specification and constraints. The 
model base contains models that are procedural in character, expressed in discrete 
event system specification formalism. Furthermore (page 325, lines 18-20) dynamics of 
the component models can be represented in various ways according to their respective 
state variables. Finally, Sung-Do Chi discloses the graphical representation (Fig. 8; 
page 331, lines 1-8) as SECUSIM system where users can set up initial conditions for 
simulation by using windows of each node. 

In addition, Sung-Do Chi discloses the limitation of "a simulation phase, 
comprising the specification and the simulation of potential attacks against the 
information system, a successful attack causing a state of a component to pass to an 
unsound value" (page 327, lines 10-12) as the attacker model outputs a sequence of 
attacking commands according to its attacking scenario and (page 327, lines 19-23) the 
analyzer model can determine the number of successful attacks. 

It is noted, however, that Sung-Do Chi does not explicitly teach the limitation of 
"each component being associated with at least one state initialized with a sound 
value." 

On the other hand, Apostal teaches the abovementioned limitation (page 218, 
right column, lines 23-25) as the server allows client to view the state of nodes and 
resources. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Apostal into the system of Sung-Do Chi to provide 
means for storing additional information about the network and its components. 

With respect to claim 46, Apostal teaches the limitation of "a name being 
associated with each component one or more adjectives may also be associated with 
said component, which adjectives make it possible to designate said component without 
naming it" (page 216, left column, lines 23-25) as nodes table is used to define 
particular nodes and some of their characteristics. 

With respect to claim 47, Apostal teaches the limitation of "determined states are 
associated with each component of the information system, each state being able to 
take a sound value and one or more unsound values" (page 218, right column, lines 23- 
25) as the server allows client to view the state of nodes and resources and (page 220, 
lines 4-6) as the possible effects of an attack action include changing the state of a 
node or protocol. 

With respect to claim 48, Apostal teaches the limitation of "certain at least of said 
states pertain respectively to the activity, the confidentiality, the integrity and/or the 
availability of the component with which they are associated" (page 218, left column, 
lines 18-20) as mission objectives are modeled as nodes that need to be protected 
against availability, confidentiality or integrity attacks. 

With respect to claim 52, Sung-Do Chi teaches the limitation of "the relations 
between any two determined components comprise service relations making it possible 
to designate a component on the basis of another component" (page 325, lines 17-20) 
as network component model comprises various services such as Telnet, Email, Ftp, 
Web, and Packet Filtering. The dynamics of these component models can be 
represented in various ways according to their respective state variables. 

With respect to claim 53, Sung-Do Chi teaches the limitation of "the behavioral 
rules comprise rules for propagating attacks, these rules being for example 
implemented in components which are vectors of attacks, and rules for absorbing 
attacks, these rules being for example implemented in components which are the target 
of attacks" (page 327, lines 10-12) as the attacker model outputs a sequence of 
attacking commands according to its attacking scenarios. 
With respect to claim 55, Apostal teaches the limitation of "at the end of the 
modeling phase, the construction of a local routing table, making it possible to direct an 
attack from a start component to a finish component" (page 216, right column, lines 26- 
29) as map table that holds locations and size information for elements (nodes and 
network segments) that are drawn on the network map. 

With respect to independent claim 83, it is rejected in view of the same reasons 
as stated in the rejection of independent claim 45. 

3. Claims 49-51, and 54 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Sung-Do Chi et al. "Network security modeling and cyber attack simulation 
methodology." Information Security and Privacy. 6th Australian Conference, ACISP 
2001, 07/11/01, pages 320-333 in view of Apostal D et al "Checkmate network security 
modeling." Proceedings DARPA Information Survivability Conference and Exposition II. 
06/12/01, pages 214-226, vol. 1 as applied to claim 45, and further in view of Ritchey et 
al. "Using model checking to analyze vulnerabilities." Proceedings of the 2000 IEEE 
Symposium on Security and Privacy. 05/14-17/2000. Pages 156-165. 

With respect to claim 49, it is noted that neither Sung-Do Chi nor Apostal 
explicitly teach the limitation of "an alleged name may be associated with any 
determined component, in particular in the case where said determined component is a 
usurper." 
On the other hand, Ritchey teaches the abovementioned limitation (page 162, left 
column, lines 43-46) as Hostid is sequentially assigned to each host and is used to 
index into the row and column of the connectivity matrix. The attacker is assigned 
Hostid one, so the Hostid numbering starts at two. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Ritchey into the system of Sung-Do Chi and 
Apostal to provide a straight-forward method of determining whether a host can 
communicate with another host. 

With respect to claim 50, Ritchey teaches the limitation of "a link to another 
component may be associated with any determined component, in particular in the case 
where said determined component is usurped and where said other component is a 
usurper" (page 162, right column, lines 36-41) as the connectivity matrix is used to 
determine whether a host can communicate with another host. The host ids for the 
source and destination hosts are used to index into the row and column of the matrix to 
determine if communication is possible. 

With respect to claim 51, Ritchey teaches the limitation of "the propagation 
relations are bidirectional relations able to convey attacks in both directions" (page 160, 
right column, lines 34-40) as in our SMV example we have modeled connectivity with a 
Boolean matrix that has the distinct disadvantage of not allowing our model to describe 
partial connectivity. This choice was made to simplify the example. It would be an easy 
task to add a richer connectivity description to our method that includes common 
network connectivity details such as port numbers. 

With respect to claim 54, it is noted that neither Sung-Do Chi nor Apostal 
explicitly teach the limitation of "the behavioral rules comprise binary rules, for example 
Boolean logic conditions giving a value of type yes/no, and/or functional rules, for 
example logic conditions involving a routing action (for a propagation rule) or contagion 
action (for an absorption rule)." 

On the other hand, Ritchey teaches the abovementioned limitation (page 163, left 
column, lines 11-13) as an exploit is described by a case statement that determines 
whether all of the prerequisites for the exploit have been met. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Ritchey into the system of Sung-Do Chi and 
Apostal to provide a better way to determine the severity and probability of the system's 
exploits. 

4. Claims 56, 57, 59-61, 67-69, 71-73, 84, and 85 are rejected under 35 
U.S.C. 103(a) as being unpatentable over Sung-Do Chi et al. "Network security 
modeling and cyber attack simulation methodology." Information Security and Privacy. 
6th Australian Conference, ACISP 2001, 07/11/01, pages 320-333 in view of Apostal D 
et al "Checkmate network security modeling." Proceedings DARPA Information 
Survivability Conference and Exposition II. 06/12/01, pages 214-226, vol. 1 as applied 
to claim 55 above, and further in view of Gupta et al. (US 7,289,456 B2). 

It is noted that neither Sung-Do Chi nor Apostal teach the limitation of "the local 
routing table is generated automatically according to the principle of the shortest path 
between the start component and the finish component." 

On the other hand, Gupta teaches the abovementioned limitation (column 13, 
lines 47-59) as the routing engine will determine multiple paths between the two routing 
nodes. Specifically, the routing engine may determine a shortest path and one or more 
alternate shortest paths (i.e., a second, third, etc. alternate shortest path), using for 
example, the Dijkstra Algorithm. The former determination can be performed by first 
determining a shortest path to the destination node and by then determining alternate 
shortest paths by determining a shortest path to each of the destination node's 
neighboring routing nodes. 
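The shortest-path construction summarized in the Gupta passage, written out as an added example (this code is not from the office action or from any of the cited references): components are nodes, propagation relations are directed edges, and each edge carries a constructed cost. The component names and weights are hypothetical. The block computes the shortest path from a start component to a finish component with Dijkstra's algorithm, derives alternate shortest paths by taking the shortest path to each neighbour that feeds the finish component and adding the last hop, and generates a local routing table for one start component from those shortest paths.

```python
"""Shortest-path 'local routing table' between modeled components.

Added example (not from the office action or the cited references).
Components are nodes, propagation relations are directed edges, and each
edge weight is a constructed cost of carrying an attack across that relation.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

# Constructed sample model (hypothetical component names and weights).
SAMPLE_GRAPH: Graph = {
    "internet": {"firewall": 1},
    "firewall": {"web": 1, "vpn": 3},
    "web": {"app": 2},
    "vpn": {"app": 1, "db": 6},
    "app": {"db": 1},
    "db": {},
}


def dijkstra(graph: Graph, source: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Single-source shortest paths; returns (distance, predecessor) maps."""
    dist = {source: 0}
    prev: Dict[str, str] = {}
    heap = [(0, source)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nxt, weight in graph.get(node, {}).items():
            nd = d + weight
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return dist, prev


def _walk_back(prev: Dict[str, str], start: str, finish: str) -> List[str]:
    """Rebuild the start -> finish path from the predecessor map."""
    path = [finish]
    while path[-1] != start:
        path.append(prev[path[-1]])
    path.reverse()
    return path


def shortest_path(graph: Graph, start: str, finish: str) -> Optional[Tuple[int, List[str]]]:
    """Cheapest path from start to finish, or None when finish is unreachable."""
    dist, prev = dijkstra(graph, start)
    if finish not in dist:
        return None
    return dist[finish], _walk_back(prev, start, finish)


def alternate_shortest_paths(graph: Graph, start: str, finish: str) -> List[Tuple[int, List[str]]]:
    """Alternates as the Gupta passage describes them: the shortest path to each
    neighbour that feeds the finish component, extended by that last hop.
    The candidate that coincides with the overall shortest path is dropped."""
    best = shortest_path(graph, start, finish)
    alternates = []
    for nbr, edges in graph.items():
        if finish not in edges:
            continue
        via = shortest_path(graph, start, nbr)
        if via is None or finish in via[1]:  # would revisit finish: not a simple path
            continue
        candidate = (via[0] + edges[finish], via[1] + [finish])
        if best is None or candidate[1] != best[1]:
            alternates.append(candidate)
    return sorted(alternates)


def local_routing_table(graph: Graph, start: str) -> Dict[str, Tuple[int, str, List[str]]]:
    """Routing table for one start component, generated automatically from the
    shortest paths: finish -> (cost, next hop, full path)."""
    dist, prev = dijkstra(graph, start)
    table = {}
    for finish in dist:
        if finish == start:
            continue
        path = _walk_back(prev, start, finish)
        table[finish] = (dist[finish], path[1], path)
    return table


if __name__ == "__main__":
    print(shortest_path(SAMPLE_GRAPH, "internet", "db"))
    print(alternate_shortest_paths(SAMPLE_GRAPH, "internet", "db"))
    for finish, entry in sorted(local_routing_table(SAMPLE_GRAPH, "internet").items()):
        print(finish, entry)
```

Running the block on the sample graph gives the shortest path internet, firewall, web, app, db at cost 5; the only distinct alternate runs through vpn directly to db at cost 10, because the alternate through app coincides with the shortest path and is dropped. A reverse lookup from db yields no route, since the sample relations are directed.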

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Gupta into the system of Sung-Do Chi and Apostal 
to provide more efficient network model. 

With respect to claim 57, Apostal teaches the limitation of "the attacks simulation 
step comprises the updating of the state of a component of the system altered by a 
successful attack" (page 220, lines 2-6) as the Checkmate server evaluates the attack 
action and applies the effects of that action to the model network. The possible effects 
of an attack action include changing the state of a node or protocol. 
With respect to claims 59 and 60, Apostal teaches the limitations of "the attacks 
comprise elementary attacks corresponding to unsound state values" and "the attacks 
further comprise a special usurping attack" (page 219, left column, lines 9-13) as an 
attacker can send commands that simulate requests for service functionality, that 
change services or nodes, and that exploit vulnerabilities. 

With respect to claim 61, Apostal teaches the limitation of "an attack is defined, in 
particular, by a type of attack, a type of protocol, and attack path elements" (page 218, 
left column, line 20 - right column, line 1) as each role has associated with it a number 
of characteristics including: a set of nodes to attack, a set of nodes to defend, a set of 
mission objectives, a set of initial resources, and a level of programming ability. 

With respect to claim 67, Sung-Do Chi teaches the limitation of "the attacks are 
defined in a language using the same words as a language in which the behavioral 
rules are defined" (page 325, lines 5-8) as the experimental frame concept may be 
suitably utilized to couple with a given network model, generates input external events 
(cyber attack commands), monitor its running (consequences), and process its output 
(vulnerability). 

With respect to claim 68, Sung-Do Chi teaches the limitation of "the modelling 
phase and/or the simulation phase are implemented by a user by means of a 
man/machine interface comprising a multiview functionality, wherein a graphical 
representation of the system is presented to the user as several views" (page 331, lines 
1-8) as a network security simulation system where users can set up initial conditions 
for simulation by using windows of each node. They can also try to test various cases by 
attaching attacker and analyzer to any particular node. Procedures of simulation can be 
checked by the packet-based animation and more detailed procedures can be checked 
through given windows. 

With respect to claim 69, it is rejected in view of the same reasons as stated in 
the rejection of claim 68. 

With respect to claim 71, it is noted that neither of Sung-Do Chi, Apostal, and 
Gupta teach the limitation of "the behavioural rules for the components belonging to a 
view do not call by name upon components belonging to another view." 

On the other hand, examiner takes the official notice that isolation of the 
elements in the network system is not a novel concept and therefore, it would have 
been obvious to one of the ordinary skill in the art to provide no other ways for 
components to reference each other, other than through the information defined in the 
routing table controlled by the administrator to improve the security of the system. 

With respect to claims 72 and 73, they are rejected in view of the same reasons 
as stated in the rejection of claim 68. 
With respect to claims 84 and 85, they are rejected in view of the reasons stated 
in the rejection of claim 68. 

5. Claim 58 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sung-Do 
Chi et al. "Network security modeling and cyber attack simulation methodology." 
Information Security and Privacy. 6th Australian Conference, ACISP 2001, 07/11/01, 
pages 320-333, Apostal D et al "Checkmate network security modeling." Proceedings 
DARPA Information Survivability Conference and Exposition II. 06/12/01, pages 214- 
226, vol. 1, and Gupta et al. (US 7,289,456 B2) as applied to claim 57 above, and 
further in view of Dowd et al. (US 7,315,801 B1). 

With respect to claim 58, it is noted that neither of Sung-Do Chi, Apostal, or 
Gupta teach the limitation of "the simulation phase furthermore comprises the building 
of a file or journal of the attacks, containing the log of the changes of the state of the 
components consequent upon successful attacks, in particular to allow subsequent 
processing by a user." 

On the other hand, Dowd teaches the abovementioned limitation (column 14, 
lines 11-13) as the security modeling system includes a log or a recorder which allows 
the system to play back the moves of an attacker or defender or both. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Dowd into the system of Sung-Do Chi, Apostal, 
and Gupta because the system logs would provide the ability for the administrator to 
examine data retroactively. 

6. Claims 62-66 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sung-Do Chi et al. "Network security modeling and cyber attack simulation 
methodology." Information Security and Privacy. 6th Australian Conference, ACISP 
2001, 07/11/01, pages 320-333, Apostal D et al "Checkmate network security 
modeling." Proceedings DARPA Information Survivability Conference and Exposition II. 
06/12/01, pages 214-226, vol. 1, and Gupta et al. (US 7,289,456 B2) as applied to claim 
61 above, and further in view of Cohen et al. (US 6,952,779 B1). 

With respect to claim 62, it is noted that neither of Sung-Do Chi, Apostal, or 
Gupta explicitly teach the limitation of "the attack path elements comprise a start 
component, a finish component, a target component, and as appropriate one or more 
intermediate components." 

On the other hand, Cohen teaches the abovementioned limitation (column 7, 
lines 1-2) as the system simulates attacks through the network topology from each start 
point to each end point. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Malan into the system of Sung-Do Chi, Apostal, 
and Gupta to provide a better security by quickly and robustly correlating the statistics 
collected from the network to reconstruct the path of the attack. 
With respect to claims 63-66, Cohen teaches the limitations of "the list of 
components already traversed by an attack is saved in one or more upstream stacks", 
"the upstream stacks comprise a stack containing the exhaustive list of all the 
components traversed, designated by their real name", "wherein the upstream stacks 
comprise a stack containing the list of only those components traversed which are 
opaque, designated by their real name or, as appropriate, by their alleged name", and 
"the list of destination components of an attack is saved in at least one downstream 
stack" (column 7, lines 25-35) as the attack simulation commences from a specified 
attack starting point. The system then loops through a moving front-line algorithm by 
repeatedly evaluating the constraints for every state/graph node that has not yet been 
reached. The moving front-line algorithm continues adding edges to new graph nodes 
until no more states/graph nodes can be reached at which point the process terminates. 
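The propagation mechanics recited above, as an added example that is not code from the office action or from any cited reference: each component carries named states initialized to a sound value; an exploit is described by the prerequisites that must all hold before it fires (the prerequisite check summarized in the Ritchey passage under section 3) and by the state it turns unsound; the simulation advances a moving front line, re-evaluating every not-yet-fired exploit whose source has been reached until nothing further can be reached (the Cohen passage above). Along the way it keeps, per component, the list of components traversed to reach it (an upstream stack) and a journal of state changes. Component names, state names and exploit definitions are constructed for the example.

```python
"""Moving front-line attack propagation over a component model.

Added example (not from the office action or the cited references). Each
component carries named states initialized to a sound value; each exploit is
described by the prerequisites that must all hold and by the state change it
causes. The front line advances while any not-yet-fired exploit whose source
has been reached has its prerequisites met. All names are constructed.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List, Tuple

Model = Dict[str, Dict[str, str]]  # component -> state name -> value
Condition = Tuple[str, str]        # (component, state name)


@dataclass
class Exploit:
    source: str                          # component the attack propagates from
    target: str                          # component the attack is directed at
    prerequisites: Dict[Condition, str]  # every (component, state) must equal the value
    effect: Tuple[str, str, str]         # (component, state name, new unsound value)


@dataclass
class SimulationResult:
    reached: List[str]                             # front line, in the order reached
    journal: List[Tuple[str, str, str, str, str]]  # (via, component, state, old, new)
    upstream: Dict[str, List[str]]                 # component -> components traversed to reach it


# Constructed sample model: the attacker's own component starts unsound.
SAMPLE_MODEL: Model = {
    "attacker": {"control": "unsound"},
    "web": {"control": "sound", "patched": "no"},
    "app": {"control": "sound", "patched": "yes"},
    "db": {"control": "sound", "confidentiality": "sound"},
}

# Constructed exploits: prerequisites as (component, state) -> required value.
SAMPLE_EXPLOITS: List[Exploit] = [
    Exploit("attacker", "web", {("attacker", "control"): "unsound", ("web", "patched"): "no"},
            ("web", "control", "unsound")),
    Exploit("web", "app", {("web", "control"): "unsound", ("app", "patched"): "no"},
            ("app", "control", "unsound")),
    Exploit("web", "db", {("web", "control"): "unsound"},
            ("db", "confidentiality", "unsound")),
    Exploit("app", "db", {("app", "control"): "unsound"},
            ("db", "control", "unsound")),
]


def prerequisites_met(model: Model, exploit: Exploit) -> bool:
    """Every prerequisite must hold in the current model state."""
    return all(model.get(comp, {}).get(state) == value
               for (comp, state), value in exploit.prerequisites.items())


def simulate(model: Model, exploits: List[Exploit], start: str) -> SimulationResult:
    """Moving front line: keep firing exploits whose source is reached and whose
    prerequisites hold until no further component can be reached."""
    model = copy.deepcopy(model)  # never mutate the caller's model
    upstream = {start: [start]}
    reached = [start]
    journal: List[Tuple[str, str, str, str, str]] = []
    fired = set()
    progressed = True
    while progressed:
        progressed = False
        for idx, ex in enumerate(exploits):
            if idx in fired or ex.source not in upstream or not prerequisites_met(model, ex):
                continue
            comp, state, new = ex.effect
            old = model[comp][state]
            model[comp][state] = new
            journal.append((ex.source, comp, state, old, new))  # log of state changes
            fired.add(idx)
            if ex.target not in upstream:
                upstream[ex.target] = upstream[ex.source] + [ex.target]
                reached.append(ex.target)
            progressed = True
    return SimulationResult(reached, journal, upstream)


def with_patch(model: Model, component: str) -> Model:
    """Copy of the model with one component marked patched, so the same
    simulation can evaluate a candidate mitigation."""
    patched = copy.deepcopy(model)
    patched[component]["patched"] = "yes"
    return patched


if __name__ == "__main__":
    result = simulate(SAMPLE_MODEL, SAMPLE_EXPLOITS, "attacker")
    for entry in result.journal:
        print(entry)
    print("upstream stack for db:", result.upstream.get("db"))
    print("reached after patching web:",
          simulate(with_patch(SAMPLE_MODEL, "web"), SAMPLE_EXPLOITS, "attacker").reached)
```

On the sample model the front line reaches web and then db (its confidentiality state turns unsound), while app stays sound because its patched state blocks the only exploit directed at it; the upstream stack recorded for db is attacker, web, db. Re-running the simulation on a copy of the model in which web is patched shows nothing beyond the attacker's own component is reached, which is how a defender would use such a model to check a proposed mitigation before applying it.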

7. Claims 70 and 74-76 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Sung-Do Chi et al. "Network security modeling and cyber attack simulation 
methodology." Information Security and Privacy. 6th Australian Conference, ACISP 
2001, 07/11/01, pages 320-333 in view of Apostal D et al "Checkmate network security 
modeling." Proceedings DARPA Information Survivability Conference and Exposition II. 
06/12/01, pages 214-226, vol. 1 and Gupta et al. (US 7,289,456 B2) as applied to claim 
68 above, and further in view of Pitchaikani et al. (US 6,061,505). 

With respect to claim 70, it is noted that neither of Sung-Do Chi, Apostal, and 
Gupta explicitly teach the limitation of "the function of interconnection between the 
components included in two distinct views is ensured only via the common component 
or the common components shared by the two views" (column 10, lines 48-54) as each 
view record of view records includes information about a given logical view, and is 
connected by a plurality of pointers to a plurality of view device records. Each view 
device record of view device records contains an index that indicates which device 
interface exists in a particular logical view. Furthermore, (column 11, line 7) to represent 
this relationship between various views, a plurality of pointers associates each view 
record of view records that represents a view having a subview with the view records in 
view records which represent the one or more subviews. Where subview can be a view 
of the station alone. 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Pitchaikani into the system of Sung-Do Chi, 
Apostal, and Gupta to create a logical topology map of the network. 

With respect to claims 74 and 75, they are rejected in view of the same reasons as 
stated in the rejection of claim 70. 

With respect to claim 76, Pitchaikani teaches the limitation of "the modelling 
phase further comprises the specification of one or more basic metrics associated 
respectively with the components" (Table 5; column 11, line 53 - column 12, line 5) as 
database includes TopoMonitor records, polling records, location records, describe 
records, ExtView Info records, AppSpecificinfo records, Mgmt Addr records, etc. 
8. Claims 77-82 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sung-Do Chi et al. "Network security modeling and cyber attack simulation 
methodology." Information Security and Privacy. 6th Australian Conference, ACISP 
2001, 07/11/01, pages 320-333 in view of Apostal D et al "Checkmate network security 
modeling." Proceedings DARPA Information Survivability Conference and Exposition II. 
06/12/01, pages 214-226, vol. 1, Gupta et al. (US 7,289,456 B2), and Pitchaikani et al. 
(US 6,061,505) as applied to claim 76 above, and further in view of Swiler et al. (US 
7,013,395 B1). 

With respect to claim 77, Sung-Do Chi teaches the limitation of "the basic metrics 
comprise a metric of effectiveness of parries, a metric of effectiveness of detection of 
attacks, and/or a metric of the means of an attacker" (page 327, lines 19-22) as the 
analyzer model is designed to gather the statistics and analyze the performance index 
such as the vulnerability of each component on given network. For the simulation 
convenience, we have defined the component vulnerability as the number of successful 
attacks divided by the total number of attempted attacks. 

In addition, Swiler further teaches the abovementioned limitation (column 7, 
lines 7-11) as the attack template also contains an edge weight. When the template is 
instantiated, it returns a value that is the weight on the edge in the attack graph. The 
value may represent time for the attack to succeed, cost to the attacker, etc., depending 
on which metric the user chooses. Furthermore, (column 9, lines 56-64) each node in 
the graph contains information about what user privileges the attacker has obtained, 
extra vulnerabilities not implied by the privilege level, and the shortest distance from the 
start to the current node. Distance, in this case, relates to the edge weight functions in 
the attack templates and represents such considerations as estimated time, cost, 
degree of effort, and likelihood of detection of the attack. 

Application/Control Number: 10/534,855 Page 17 

Art Unit: 2131 

It would have been obvious to one of the ordinary skill in the art at the time of the 
invention to incorporate teachings of Swiler into the system of Sung-Do Chi, Apostal, 
Gupta, and Pitchaikani to provide the extensive view of the attack paths and 
advantages gained by the attacker. 

With respect to claims 78-82, they are rejected in view of the same reasons as 
stated in the rejection of claim 77. 

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure: 

a. Piesco (US 7,379,857 B2). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to KONSTANTIN SHEPELEV whose telephone number is 
(571)270-5213. The examiner can normally be reached on Mon - Thu 8:30 - 18:00, Fri 
8:30- 17:00. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on (571)272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Konstantin Shepelev/ 9/2/2008 
Examiner, Art Unit 2131 
/Ayaz R. Sheikh/ 

Supervisory Patent Examiner, Art Unit 2131 



